Forum Discussion

diego_21084
17 years ago

Securing an application

I'm rewriting part of a web application for a client to make it a bit more secure. I have to admit, I know very little about BIG-IP boxes. However, my customer has one, and I would like to use as much of its capabilities as possible.

Let me tell you the issue today. My customer does authentication over HTTP; once the user sends a valid username/password pair, the server responds with a session cookie. My customer does not want the password to be sent in the clear (that makes sense, we can use SSL). However, this only closes the door, not the windows, since the session cookie is still sent in the clear and is not signed (so it can be copied to another machine).

I read that BIG-IP can encrypt the cookie, but I have not seen that the cookie is signed, so even though I cannot read inside the cookie, I can still copy it to another machine.

My suggestion is to change the login process to SSL and use a secure cookie in addition to the session cookie. When the user enters parts of the application where I need to verify that the user is still the same person who logged in, I will redirect the user to SSL and verify that the secure cookie is still set. What I don't know is how BIG-IP handles this. The request comes from the client over SSL, the BIG-IP decrypts the SSL and sends the request to the HTTP server. When BIG-IP does this, what does it do with secure cookies? Are they forwarded to the HTTP server? Is the cookie still secure? Can the HTTP server set a secure cookie, even though the connection between the HTTP server and the BIG-IP is not secure?

On the other hand, can BIG-IP secure the app for me without me doing anything like this?

Thank you for any advice.
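As an added illustration that is not part of the post above and is not BIG-IP code: the two-cookie scheme the poster describes, in Python, with the second cookie carrying the Secure and HttpOnly attributes and an HMAC tag so its value cannot be altered without the server key. The key and session id are constructed for the example. The Secure attribute is only text in the Set-Cookie header that the browser enforces, so a backend reached over plain HTTP can still emit it.

```python
import base64
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def sign(value: str, key: bytes = SERVER_KEY) -> str:
    """Append a base64url HMAC-SHA256 tag: '<value>.<tag>'."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    tag = base64.urlsafe_b64encode(mac).decode().rstrip("=")
    return f"{value}.{tag}"


def verify(signed: str, key: bytes = SERVER_KEY):
    """Return the value if the tag verifies, else None (constant-time compare)."""
    value, _, tag = signed.rpartition(".")
    if not value:
        return None
    expected = sign(value, key).rpartition(".")[2]
    return value if hmac.compare_digest(expected, tag) else None


def issue_secure_cookie(session_id: str) -> str:
    """Set-Cookie header line for the signed cookie that only travels over SSL."""
    c = SimpleCookie()
    c["secure_session"] = sign(session_id)
    c["secure_session"]["secure"] = True     # browser sends it on https:// only
    c["secure_session"]["httponly"] = True   # not readable by page scripts
    c["secure_session"]["path"] = "/"
    return c.output(header="").strip()


def check_request(cookie_header: str, expected_session_id: str) -> bool:
    """On an SSL page: the secure cookie must verify and match the session cookie's id.

    Signing stops forgery of a new value; a copied, valid cookie still verifies,
    which is why the Secure flag keeps it off the plaintext channel in the first place.
    """
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get("secure_session")
    if morsel is None:
        return False
    return verify(morsel.value) == expected_session_id
```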